Secure network coding for multi-resolution wireless transmission

ABSTRACT

Described herein is a method and system for hierarchical wireless video with network coding which limits encryption operations to a critical set of network coding coefficients in combination with multi-resolution video coding. Such a method and system achieves hierarchical fidelity levels, robustness against wireless packet loss and efficient security by exploiting the algebraic structure of network coding.

CROSS REFERENCE TO RELATED APPLICATIONS

This application is a continuation of co-pending U.S. patent applicationSer. No. 13/071,674 filed on Mar. 25, 2011 which claims the benefit,under 35 U.S.C. §119(e), of Provisional application No. 61/317,532 filedMar. 25, 2010 which application is hereby incorporated herein byreference in its entirety.

STATEMENT REGARDING FEDERALLY SPONSORED RESEARCH

This invention was made with government support under Grant No.FA9550-06-1-0155 awarded by the U.S. Air Force and under Contract No.N66001-08-C-2013 awarded by the Space and Naval Warfare Systems Command.The government has certain rights to this invention.

FIELD OF THE INVENTION

The concepts described herein generally relate to network coding schemesand more particularly to secure network coding for multi-resolutionwireless video streaming.

BACKGROUND OF THE INVENTION

As is known in the art, there has been abundant research aiming atensuring a reasonable quality of video experience for wireless users.

As is also known, the task of providing video streaming of variablequality to a heterogeneous set of receivers with different subscriptionlevels is still an open issue. One challenge is to serve wireless userswith video streams that: (i) are of different quality, depending onsubscription level; and (ii) provide security guarantees to ensure thatonly authorized users will access the protected video streams.

In order to illustrate this problem, one can consider the scenarioillustrated in FIG. 1, in which nodes A, B and C are interested in avideo stream served by node S, but they have paid for different videoqualities, for example different layers of a multi-resolution videostream. Node S can connect to the receivers through three relay nodesR1, R2, R3 in wireless range, but with poor channel quality. Due atleast in part to the noisy nature of the wireless medium, at least somepackets transmitted by node S are lost. Reliable video transmission,however, requires node S to retransmit the lost packets using feedbackreceived from nodes A, B and C. Moreover, relays R1, R2, R3 need tosynchronize and schedule transmissions to ensure that each node A, B, Creceives all packets without duplicates. Under this scenario, videoquality can decrease, because some video frames are not delivered in atimely fashion and are therefore skipped.

Moreover, given the broadcast property of the wireless medium, nodesthat did not have subscription access to certain layers can potentiallyoverhear the transmitted packets. In FIG. 1, for example, node B couldoverhear layer 3 frames. Preventing unauthorized access to certainlayers in the presence of relay nodes thus imposes a challengingsecurity problem, in particular because encryption of the complete videostream is often deemed unfeasible in resource-limited mobile terminals.

Furthermore, real time decoding of high-quality video already consumes agreat deal of processing power, and can become overwhelming inconjunction with resources required for the decryption of large files.Moreover, a lossy wireless medium imposes additional requirements to thesecurity mechanisms, such as robustness to losses and limitedsynchronization to prevent scheduling problems.

To reduce the amount of processing power required, one can reduce thecomplexity of the decoding by partially encrypting the video data.However, it is relatively difficult to evaluate the degree of securityprovided by partial encrypting schemes. The use of layered coding inwireless scenarios was seen as promising, but it is likely to yieldprioritization and scheduling problems. For instance, some prior artwork has shown that even a relatively simple prioritization of a baselayer is not a trivial task.

SUMMARY OF THE INVENTION

In order to address the above and other problems, a technique known asnetwork coding can be used. The network coding approach allows nodes ina network to combine different information flows by means of algebraicoperations. This principle leads to an unconventional way of increasingthroughput and robustness of highly volatile networks, such as wirelessnetworks, sensor networks and peer-to-peer systems. Network coding isknown to have benefits for wireless communications. It is also knownthat network coding can also reduce, or in some cases even minimize,decoding delay with feedback, making it suitable for multimediastreaming.

Described herein is a method and system for hierarchical wireless videowith network coding which limits encryption operations to apredetermined set of network coding coefficients in combination withmulti-resolution video coding. Such a method and system achieveshierarchical fidelity levels, robustness against wireless packet lossand efficient security by exploiting the algebraic structure of networkcoding.

Protection of a wireless video stream, while increasing the overallrobustness to losses and failures, reducing scheduling problems andadding resilience, is also possible using network coding. By viewing thenetwork code as a cipher, it is possible to create a lightweightcryptographic scheme that reduces the overall computational complexity.Thus, network coding inspires a reformulation of the typical separationbetween encryption and coding for error resilience.

It is unnecessary to perform security operations twice, since one cantake advantage of the inherent security of this paradigm. As describedherein, it is possible to take advantage of the above benefits ofnetwork coding to develop and analyze a novel secure network codingarchitecture for wireless video. Described herein is a multicast settingin which several devices, which are in general heterogeneous and havelimited processing capabilities, subscribe to multi-resolution streamingvideo in a lossy wireless network.

Also described are security operations performed at the network codinglayer which allow: (i) a reduction in the number of encryptionoperations while meeting the prescribed security guarantees, (ii) theresulting lightweight security scheme to be combined with efficientlayered codes and streaming protocols for wireless video and (iii)matching network coding with scalable video streams, relying on networkcoding's asynchronous operation and inherent robustness to link failuresand packet loss. Contributions described herein are as follows: (1) asecure scalable network coded method for video streaming designed fordelay-sensitive applications that exploits the robustness of networkcoding with manageable complexity and quantifiable security levels; (2)demonstration of how hierarchical codes for scalable video based onsuccessive refinement can be combined with network coding in scenarioswhere not all the nodes are authorized to receive the best equality; (3)analytical evaluation of the security properties of the novel schemedescribed herein, and discussion of performance and implementation in awireless streaming service; (4) a description of insights and systemconsiderations regarding implementation in real scenarios; and (5)preliminary proof-of-concept for a network coded video architecture inseveral wireless scenarios via simulation.

It has been found that by exploiting the algebraic structure of networkcoding, the triple goal of hierarchical fidelity levels, robustnessagainst wireless packet loss and efficient security can be achieved anda secure scalable network coded method and system for video streamingdesigned for delay-sensitive applications that exploits the robustnessof network coding with manageable complexity and quantifiable securitylevels is provided.

In accordance with the concepts, systems and techniques describedherein, encryption operations are limited to a critical set of networkcoding coefficients provided by a source node in combination withmulti-resolution video coding. The source node utilizes an n×nlower-triangular matrix A, in which n is the number of layers in a groupof pictures (GoP). Matrix A is used for encoding at the source only andeach non-zero entry of matrix A is an element a_(ij) chosen uniformly atrandom from all non-zero elements of the field F_(q)\{0}. The GoP isdivided into a plurality of vectors b ⁽¹⁾ . . . b ^((w)), each of thevectors having K symbols S₁-S_(K) which the k^(th) symbol of each vectorbelongs to a corresponding one of the n layers in the GoP and whereinthe number of vectors created is computed as size of GoP/n. At least onesymbol of each vector b ^((i)) is encrypted for each use of the encodingmatrix wherein the output of the operation of a stream cypher is denotedas a symbol P with a random key K as E(P,K). The encoding matrix A issuccessively applied to the information symbols to be sent to provideencoded information symbols which comprise a payload of one or morepackets. Each of the one or more packets comprise a header and thepayload and the header comprises locked and unlocked coefficients. Eachline of a first matrix A is encrypted with a corresponding layer keywherein the first matrix A corresponds to a locked coefficients matrix.An n×n identity matrix corresponding to the unlocked coefficients isprovided. The one or more packets are encoded in relay nodes inaccordance with a random linear network coding (RLNC) protocol whereinalgebraic coding is performed on unlocked coefficients, lockedcoefficients and the payload. The relay nodes identify the layer of apacket by looking at the first non-zero position in the unlockedcoefficients, and packets are mixed with packets of the same or lowerlayers only.

In accordance with a further aspect of the concepts, systems andtechniques described, a method for streaming video data in a networkincluding a server node, a plurality of relay nodes and one or morereceiver nodes, comprises performing a one-time key distribution betweenthe source node and each of the one or more receiver nodes and dividingthe video data into more than one group of pictures (GoP), each of themore than one group of pictures having a predetermined time of duration.For each group of pictures (GoP), generating at the source node an n×nlower-triangular matrix A, in which n is the number of layers in the GoPand using matrix A for encoding at the source only with each non-zeroentry of matrix A being an element a_(ij) chosen uniformly at randomfrom all non-zero elements of the field F_(q)\{0}. The method furtherincludes dividing the GoP into a plurality of vectors b ⁽¹⁾ . . . b^((w)), each of the vectors having K symbols S₁-S_(K) in which thek^(th) symbol of each vector belongs to a corresponding one of the nlayers in the GoP and wherein the number of vectors created is computedas size of GoP/n. The method further comprises encrypting at least onesymbol of each vector b ^((i)) for each use of the encoding matrixwherein the output of the operation of a stream cypher is denoted as asymbol P with a random key K as E(P,K) and applying the encoding matrixA successively to the information symbols to be sent to provide encodedinformation symbols which comprise a payload of one or more packets witheach of the one or more packets comprising a header and a payload. Themethod further comprises encrypting each line of a first matrix A with acorresponding layer key wherein the first matrix A corresponds to alocked coefficients matrix and generating an n×n identity matrixcorresponding to the unlocked coefficients wherein the header of thepacket comprises the locked and unlocked coefficients. The methodfurther comprises encoding the one or more packets in relay nodes inaccordance with a random linear network coding (RLNC) protocol whereinalgebraic coding is performed on unlocked coefficients, lockedcoefficients and payload and the relay nodes identify the layer of apacket by looking at the first non-zero position in the unlockedcoefficients, and packets are mixed with packets of the same or lowerlayers only.

In one embodiment, dividing the video data into more than one group ofpictures (GoP), comprises dividing the video data into more than oneGoPs having a time of duration of one (1) second.

In one embodiment, performing algebraic coding on unlocked coefficients,locked coefficients and the payload comprises performing algebraiccoding indistinguishably on unlocked coefficients, locked coefficientsand the payload.

In one embodiment, the method further comprises applying, via thereceivers, Gaussian elimination following standard RLNC over theunlocked coefficients and recovering the locked coefficients bydecrypting each line of the matrix with the corresponding key andobtaining plaintext by a substitution process.

In one embodiment, the protected symbols are encrypted with the key forthe lowest level in the network such that all legitimate participants inthe protocol can decrypt the locked symbols.

In one embodiment, the method further comprises sending a first line ofthe matrix unencrypted and starting the encryption of symbols at symbol2 so that layer 1 is accessible by all nodes in the network.

In one embodiment, only a single key per layer is used formulti-resolution encryption and wherein the single key is shared amongall receivers.

In one embodiment, encrypting comprises encrypting the base layer of theGoP in order to achieve maximum security.

In one embodiment, composing a payload of the packets includes formingthe payload by concatenating all the vectors A(E(b₁,K), b₂ . . .b_(x))^(T).

In one embodiment, encrypting each line of matrix A with a correspondinglayer key comprises encrypting each line of matrix A with acorresponding layer key via the source.

In one embodiment, a packet from an nth layer corresponds to the nthline of matrix A such that that each packet of layer x includes packetsfrom layers 1, . . . , x−1, x.

In one embodiment, the method further comprises sending a first line ofthe matrix unencrypted and starting the encryption of symbols at symbol2 so that layer 1 is accessible by all nodes in the network.

In one embodiment, when performing a linear combination of one packet oflayer x with a packet of layer y>x, the resulting packet belongs tolayer y.

In accordance with a still further aspect of the concepts, systems andtechniques described herein a method of generating packets fortransmission on a network comprises generating an n×n lower triangularmatrix in which each non-zero element is chosen uniformly at random outof all non-zero elements of a finite field, dividing plaintext intovectors of elements wherein a first position of each vector is encryptedusing a stream cipher and multiplying the matrix by each of the vectorsto generate a payload.

In one embodiment, coefficients of the matrix are locked using onedifferent key for each line of the matrix and placed in a header of thepackets.

In one embodiment, the method further includes generating one line of anidentity matrix for each line of the locked coefficients and sending thepackets out to the network.

In one embodiment, generating an n×n lower triangular matrix comprisesgenerating a 3×3 lower triangular matrix.

In one embodiment, dividing plaintext into vectors of elements comprisesdividing plaintext into vectors of 3 elements.

In accordance with a further aspect of the concepts, systems andtechniques described, a system for streaming video data in a networkcomprises a server node, a plurality of relay nodes and one or morereceiver nodes.

With this particular arrangement, a secure scalable network coded systemfor streaming video data in a network including a server node, aplurality of relay nodes and one or more receiver nodes is provided.

Also described herein is a method and system for hierarchical wirelessdata transmission with network coding which limits encryption operationsto a predetermined set of network coding coefficients in combinationwith multi-resolution data coding. Such a method and system achieveshierarchical fidelity levels, robustness against wireless packet lossand efficient security by exploiting the algebraic structure of networkcoding.

Protection of a wireless data stream, while increasing the overallrobustness to losses and failures, reducing scheduling problems andadding resilience, is also possible using network coding. By viewing thenetwork code as a cipher, it is possible to create a lightweightcryptographic scheme that reduces the overall computational complexity.Thus, network coding inspires a reformulation of the typical separationbetween encryption and coding for error resilience.

It is unnecessary to perform security operations twice, since one cantake advantage of the inherent security of this paradigm. As describedherein, it is possible to take advantage of the above benefits ofnetwork coding to develop and analyze a novel secure network codingarchitecture for wireless data including but not limited to video.Described herein is a multicast setting in which several devices, whichare in general heterogeneous and have limited processing capabilities,subscribe to multi-resolution streaming data in a lossy wirelessnetwork.

Also described are security operations performed at the network codinglayer which allow: (i) a reduction in the number of encryptionoperations while meeting the prescribed security guarantees, (ii) theresulting lightweight security scheme to be combined with efficientlayered codes and streaming protocols for wireless data and (iii)matching network coding with scalable data streams, relying on networkcoding's asynchronous operation and inherent robustness to link failuresand packet loss. Contributions described herein are as follows: (1) asecure scalable network coded method for data streaming designed fordelay-sensitive applications that exploits the robustness of networkcoding with manageable complexity and quantifiable security levels; (2)demonstration of how hierarchical codes for scalable data based uponsuccessive refinement can be combined with network coding in scenarioswhere not all the nodes are authorized to receive the best quality; (3)analytical evaluation of the security properties of the novel schemesdescribed herein, and discussion of performance and implementation in awireless streaming service; (4) a description of insights and systemconsiderations regarding implementation in real scenarios; and (5)preliminary proof-of-concept for a network coded data architecture inseveral wireless scenarios via simulation.

It has been found that by exploiting the algebraic structure of networkcoding, the triple goal of hierarchical fidelity levels, robustnessagainst wireless packet loss and efficient security can be achieved anda secure scalable network coded method and system for data streamingdesigned for delay-sensitive applications that exploits the robustnessof network coding with manageable complexity and quantifiable securitylevels is provided.

In accordance with a still further aspect of the concepts, systems andtechniques described herein a method and system for streaming data in anetwork including a server node, a plurality of relay nodes and one ormore receiver nodes, includes performing a one-time key distributionbetween the source node and each of the one or more receiver nodes;dividing the data into more than one group, each of the more than onegroup having a predetermined time of duration; for each group,generating at the source node an n×n lower-triangular matrix A, in whichn is the number of layers in the group wherein matrix A is used forencoding at the source only and each non-zero entry of matrix A is anelement a_(ij) chosen uniformly at random from all non-zero elements ofthe field F_(q)\{0}; dividing the group into a plurality of vectors b⁽¹⁾ . . . b ^((w)), each of the vectors having K symbols S₁-S_(K) inwhich the k^(th) symbol of each vector belongs to a corresponding one ofthe n layers in the group and wherein the number of vectors created iscomputed as size of group/n; encrypting at least one symbol of eachvector b ^((i)) for each use of the encoding matrix wherein the outputof the operation of a stream cypher is denoted as a symbol P with arandom key K as E(P,K); applying the encoding matrix A successively tothe information symbols to be sent to provide encoded informationsymbols which comprise a payload of one or more packets; encrypting eachline of a first matrix A with a corresponding layer key wherein thefirst matrix A corresponds to a locked coefficients matrix; generatingan n×n identity matrix corresponding to the unlocked coefficientswherein each of the one or more packets comprise a header and thepayload and wherein the header comprises the locked and unlockedcoefficients; encoding the one or more packets in relay nodes inaccordance with a random linear network coding (RLNC) protocol whereinalgebraic coding is performed on unlocked coefficients, lockedcoefficients and payload; and the relay nodes identify the layer of apacket by looking at the first non-zero position in the unlockedcoefficients, and packets are mixed with packets of the same or lowerlayers only.

In one embodiment, the time of duration is one second.

In one embodiment, performing algebraic coding on unlocked coefficients,locked coefficients and payload comprises performing algebraic codingindistinguishably on unlocked coefficients, locked coefficients andpayload.

In one embodiment, the system and method further comprise: applying, viathe receivers, Gaussian elimination over the unlocked coefficients;recovering the locked coefficients by decrypting each line of the matrixwith the corresponding key; and obtaining plaintext by a substitutionprocess.

In one embodiment, the protected symbols are encrypted with the key forthe lowest level in the network such that all legitimate participants inthe protocol can decrypt the locked symbols.

In one embodiment, the method and system further comprise: sending afirst line of the matrix unencrypted; and starting the encryption ofsymbols at symbol 2 so that layer 1 is accessible by all nodes in thenetwork.

In one embodiment, only a single key per layer is used formulti-resolution encryption and wherein the single key is shared amongall receivers.

In one embodiment, encrypting comprises encrypting the base layer of thegroup in order to achieve maximum security.

In one embodiment, composing a payload of the packets includes formingthe payload by concatenating all the vectors A(E(b₁,K), b₂, . . .b_(x))^(T).

In one embodiment, encrypting each line of matrix A with a correspondinglayer key comprises encrypting each line of matrix A with acorresponding layer key via the source.

In one embodiment, a packet from an nth layer corresponds to the nthline of matrix A such that that each packet of layer x includes packetsfrom layers 1, . . . , x−1, x.

In one embodiment, the method and system further comprise: sending afirst line of the matrix unencrypted; and starting the encryption ofsymbols at symbol 2 so that layer 1 is accessible by all nodes in thenetwork.

In one embodiment, performing a linear combination of one packet oflayer x with a packet of layer y>x, the resulting packet belongs tolayer y.

In accordance with a still further aspect of the concepts, systems andtechniques described herein a method and system for generating packetsfor transmission on a network, the method and system comprising:generating an n×n lower triangular matrix in which each non-zero elementis chosen uniformly at random out of all non-zero elements of a finitefield; dividing plaintext into vectors of elements wherein a firstposition of each vector is encrypted using a stream cipher; andmultiplying the matrix by each of the vectors to generate a payload.

In one embodiment, coefficients of the matrix are locked using onedifferent key for each line of the matrix and pieced in a header of thepackets.

In one embodiment, the method and system further comprise: generatingone line of an identity matrix for each line of the locked coefficients;and sending the packets out to the network.

In one embodiment, generating an n×n lower triangular matrix comprisesgenerating a 3×3 lower triangular matrix.

In one embodiment, dividing plaintext into vectors of elements comprisesdividing plaintext into vectors of three elements.

A system and method for data streaming in a network, the method andsystem comprising (a) a server node for dividing data into more than onegroup, each of the more than one group having a predetermined time ofduration wherein for each group, a source node generates an n×nlower-triangular matrix A, in which n is the number of layers in thegroup wherein matrix A is used for encoding at the source only and eachnon-zero entry of matrix A is an element a_(ij) chosen uniformly atrandom from all non-zero elements of the field F_(q)\{0} and the sourcedivides the group into a plurality of vectors b ⁽¹⁾ . . . b ^((w)), eachof the vectors having K symbols S₁-S_(K) in which the k^(th) symbol ofeach vector belongs to a corresponding one of the n layers in the groupand wherein the number of vectors created is computed as size of group nand wherein the source node encrypts at least one symbol of each vectorb ^((i)) for each use of the encoding matrix wherein the output of theoperation of a stream cypher is denoted as a symbol P with a random keyK as E(P,K) and applies the encoding matrix A successively to theinformation symbols to be sent to provide encoded information symbolswhich comprise a payload of one or more packets and the source nodeencrypts each line of a first matrix A with a corresponding layer keywherein the first matrix A corresponds to a locked coefficients matrixand generates an n×n identity matrix corresponding to the unlockedcoefficients wherein each of the one or more packets comprise a headerand the payload; (b) a plurality of relay nodes; and (c) one or morereceiver nodes wherein the header comprises the locked and unlockedcoefficients and encodes the one or more packets in the relay nodes inaccordance with a random linear network coding (RLNC) protocol whereinalgebraic coding is performed on unlocked coefficients, lockedcoefficients and payload and the relay nodes identify the layer of apacket by looking at the first non-zero position in the unlockedcoefficients, and packets are mixed with packets of the same or lowerlayers only.

BRIEF DESCRIPTION OF THE DRAWINGS

The foregoing features of this invention, as well as the inventionitself, may be more fully understood from the following description ofthe drawings in which:

FIG. 1 is a block diagram of a source S which streams video to threesink nodes A, B and C through relay nodes R1, R2 and R3 in a wirelesssetting.

FIG. 2 is a block diagram of a coding system in which a source nodegenerates multilayer video which is provided to a network encoder and istransmitted via a wireless transmission.

FIG. 3 is a layer model in which video data is divided into groups ofpictures (GoP) with the duration of 1 second. GoPs are then subdividedinto layers.

FIG. 4 is a diagrammatical illustration of operations performed at asource node.

FIG. 5 is an Illustration of the encryption of the locked coefficients.

FIG. 6 is a block diagram illustrating modules of one exemplary systemimplementation (entities that are external to the system, i.e. keydistribution and generation of a multiresolution stream, are in dashed.

FIG. 7 is plot of size of data to be encrypted for the scheme describedherein versus traditional encryption (encryption of the whole data).

FIG. 8 is a plot of played rate as a function of loss probabilityP_(loss), for the scheme described herein (NC1), three streams withnetwork coding (NC2) and without network coding (WoNC).

FIG. 9 is a plot of the load on the server as a function of the lossprobability P_(loss).

FIG. 10 is a plot of CDF versus decoding time for loss probabilityP_(loss)=0.4, for layer 3. 0 0.2 0.4 0.6 0.8 1

FIG. 11 is a plot of percentage of skipped segments versus probabilityof loss, P_(loss), for layer 3.

FIG. 12 is a plot of percentage of segments played in lower quality as afunction of the probability of loss P_(loss).

FIG. 13 is a plot of initial buffering delay as a function of lossprobability P_(loss), for layer 3.

FIG. 14 is a plot of played quality as a function of segment ID forP_(loss)=0.4.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

Referring now to FIG. 1, a source or server node S streams data, herecorresponding to video in this exemplary embodiment, to three sink orreceiver nodes A, B and C (or more simply “sinks” or “receivers”)through relay nodes R1, R2 and R3 in a wireless setting. The probabilityof dropping a packet in each link (in dashed) is denoted as P_(loss).The sinks A, B, C subscribed for different video quality, thus one mustdevise mechanisms to ensure reliable delivery over the wireless medium,and protection against unauthorized access. The operation of source nodeS is described in detail below (and particularly in conjunction withFIG. 4 below). It should be appreciated that references made herein to aparticular type of data (e.g. video data) and a particular number ofreceiver nodes (e.g. three receiver nodes) is not intended as and shouldnot be construed as limiting. Rather, such specific references are madeherein solely to promote clarity in the description of the figures andthe broad concepts described herein. Those of ordinary skill in the artwill readily appreciate that the concepts, systems and techniquesdescribed herein find application in streaming any type of data and arenot limited to streaming of video data.

Referring now to FIG. 2, a source node S generates multilayer video andprovides the multilayer video to a network encoder. Network encoderencodes the video (i.e. the video is fed to the network encoder) and issubsequently transmitted through a wireless network having relay nodesR1, R2, R3 (e.g. as shown in FIG. 1) to one or more destination orreceiving nodes (e.g. nodes A, B, C as shown in FIG. 1). The video isfed to a network encoder and then undergoes the transmission in awireless network.

One concept described herein is directed toward how to generate asecure, scalable stream by matching the multilayer video generated bysource node S with the network encoder.

In considering a network model and abstractions, one may consider anabstraction of a wireless network where the source S and relay nodes R1,R2, R3 only have access to the identifiers of the sinks (e.g. the IPaddresses). Thus, there is no centralized knowledge of the networktopology or of the encoding functions.

Referring briefly to FIG. 3, a layer model is shown. One can adopt amodel of video layers as described in Z. Liu, Y. Shen, S. S. Panwar, K.W. Ross, and Y. Wang, “Using layered video to provide incentives in p2plive streaming,” in P2P-TV '07: Proceedings of the 2007 workshop onPeer-to-peer streaming and IP-TV, New York, N.Y., USA, 2007, pp.311-316, ACM. It should, however, be appreciated that other layer modelsmay also be used in accordance with the concepts, systems and techniquesdescribed herein.

As illustrated in FIG. 3, video data is divided into “groups ofpictures” or GoPs (also interchangeably referred to herein as “videosegments”) with a constant time duration. In the exemplary embodimentdescribed, herein the GoPs have a duration of one (1) second. Otherdurations, may of course, also be used. The data is then encoded into Llayers (with four (4) layers being shown in FIG. 3); each layer isdivided into a fixed number of packets. It should be noted that eachlayer is dependent upon all previous layers. That is, layer 1 isnecessary to decode layer 2, layer 2 is necessary to decode layer 3,etc.

Consider a threat posed by a passive attacker with the followingcharacteristics: (1) the attacker can observe every transmission in thenetwork; (2) the attacker has full access to information about theencoding and decoding schemes; (3) the attacker is computationallybounded, and thus unable to break hard cryptographic primitives.

The goal of the attacker is to recover the multicast video stream at thehighest possible quality.

Network coding and security can be accomplished via random linearnetwork coding (RLNC). RLNC is a completely distributed scheme toimplement network coding protocols, whereby nodes draw severalcoefficients at random and use them to form linear combinations ofincoming packets. The resulting packet is sent along with the globalencoding vector, which records the cumulative effect of the lineartransformations suffered by the original packet while on its path fromthe source to the destination. The global encoding vector enables thereceivers to decode by means of Gaussian elimination.

Next described are concepts, techniques and systems related to securenetwork coding for video streaming.

Referring now to FIG. 4, the operations at a source node (e.g. sourcenode S in FIGS. 1 and 2) are illustrated in FIG. 4. In general overviewreference to the exemplary embodiment illustrated in FIG. 4, a sourcenode generates a 3×3 lower triangular matrix in which each non-zeroelement is chosen uniformly at random out of all non-zero elements of afinite field. The plaintext is divided into vectors of 3 elements andthe first position of each vector is encrypted using a stream cypher.The matrix is multiplied by each of the vectors to generate the payload.The coefficients of matrix A are locked using one different key for eachline of the matrix and placed in the header of the packets. One line ofthe identity matrix is generated for each line of the lockedcoefficients. The packets are then sent out to the network.

Proceeding now in more detail, the scheme starts with a one-time keydistribution between the source node and the receiver nodes (aka sinknodes). As keys can be reused, only one key per layer is needed formulti-resolution encryption (a single key for the single resolutionvideo case), that would be shared among all receiver nodes. Then, foreach GoP, the source node generates an n×n lower-triangular matrix A, inwhich n is the number of layers in the GoP. Matrix A is used forencoding at the source node only. Each non-zero entry of A is an elementa_(ij) chosen uniformly at random from all non-zero elements of thefield F_(q)\{0}.

The GoP is then divided into vectors b ⁽¹⁾ . . . b ^((w)), in which thefirst symbol of each vector belongs to layer 1, the next symbol belongsto layer 2, etc. The number of vectors created is [size of GoP/n] (itshould be appreciated that, for clarity, inconsistencies regarding theproportion between the number of symbols in the layers are ignored).Then, at least one symbol of each vector b ^((i)) is encrypted for eachuse of the encoding matrix. As layers are dependent-layer i is needed todecode layer i+1—a preferred approach is to encrypt the more informativebase layer of the GoP in order to achieve maximum security (in thiscase, b₁ for each vector b ^((i))). The output of the operation of astream cypher is denoted as a symbol P with a random key K as E(P,K).Finally, the payload of the packets is composed by applying the encodingmatrix A successively to the information symbols to be sent, i.e., thepayload is formed by concatenating all the vectors A(E(b₁,K), b₂, . . ., b_(x))^(T).

Next, the source encrypts each line of matrix A with the correspondinglayer key. Matrix A is the locked coefficients matrix. The source thengenerates an n×n identity matrix I, which corresponds to the unlockedcoefficients. The packets are comprised of the header and the payload.The header includes the locked and unlocked. Note that, because of thenested structure of coding, determined by the triangular matrix, apacket from layer 1 corresponds to the first line of matrix A, a packetfrom layer 2 corresponds to the second line of matrix A, etc, so thateach packet of layer x includes packets from layers 1, . . . , x−1, x(i.e. a packet from an nth layer corresponds to the nth line of matrix Asuch that that each packet of layer x includes packets from layers 1, .. . , x−1, x). Note also that when performing a linear combination ofone packet of layer x with a packet of layer y>x, the resulting packetbelongs to layer y.

The relays encode packets according to the rules of standard RLNCprotocols. The algebraic coding is performed indistinguishably onunlocked coefficients, locked coefficients and payload. Relays identifythe layer of a packet by looking at the first non-zero position in theunlocked coefficients, and packets are mixed with packets of the same orlower layers only.

The receiver nodes apply Gaussian elimination following standard RLNCover the unlocked coefficients. The locked coefficients are recovered bydecrypting each line of the matrix with the corresponding key. Theplaintext is then obtained by forward substitution. Note that theprotected symbols should be encrypted with the key for the lowest levelin the network (that is, K ₁), so that all legitimate participants inthe protocol can decrypt the locked symbols. If layer 1 is to beaccessible by all nodes in the network, the first line of the matrixshould be sent unencrypted and the encryption of symbols should start atsymbol 2.

Table I summarizes the scheme operation. What follows is an elaborationon the matching of multiresolution video and security, prioritizationand scheduling issues as well as a security analysis.

TABLE I Initialization (source nodes): A key management mechanism isused to exchange n shared keys with the sink nodes (one for each layer);The source node generates a n × n lower triangular matrix A in whicheach of the non-zero entries is an element from the multiplicative groupof the finite field, α ε F_(q)\{0}; The coefficients corresponding to adistinct line of the n × n identity matrix are added to the header ofeach coded packet. These correspond to the unlocked coefficients. Eachline/of the matrix A is encrypted with shared key K₁ and placed in theheader of each packet. These coefficients correspond to the lockedcoefficients; The source node applies the matrix A to the packets to besent, and places them in its memory. Initialization (relay nodes): Eachnode initializes n buffers, for each layer in the network. Operation atrelay nodes: When a packet of layer I is received by a node, the nodestores the packet in the corresponding buffer; To transmit a packet oflayer I on an outgoing link, the node produces a packet by forming arandom linear combination of the packets in buffers 1, . . . , /,modifying both the unlocked and locked coefficients without distinction,according to the rules of standard RLNC based protocols. Decoding (sinknodes): When sufficient packets are received: The sink nodes performGaussian elimination on the matrix of unlocked coefficients, applyingthe same operations to the remainder of the packet, thus obtaining theoriginal locked coefficients and coded packets; The receiver thendecrypts the locked coefficients using the corresponding keys Ki forlevel I; The receiver performs forward substitution on the packets usingthe locked coefficients to recover the original packets; The receiverdecrypts the encrypted symbols to form the original plaintext.

Bringing security to multiresolution video may be accomplished via atriangular encoding matrix. As seen, upon generating a new GoP, thesource divides it into vectors b ⁽¹⁾ . . . b ^((w)), mixing all layers,and applies the matrix A to each of them to obtain the payload, that is:c^((i))=Ab ^((i)).

Referring now to FIG. 5, a plurality of different key layers are used toencrypt a corresponding plurality of different lines of a matrix A. Asillustrated in FIG. 5, the encryption of the locked coefficientsincludes a first layer which corresponds to the first line of the matrixand is encrypted with the key for layer 1. The remaining lockedcoefficients are encrypted line by line according to a similarmechanism. This concept achieves security since only the recipients withthe corresponding keys can decode the encrypted line, and consequentlythe layer.

It should be appreciated that standard network coding operations can beemployed over the unlocked coefficients also when the layers areencrypted with different keys. Furthermore, even if packets fromdifferent layers are combined, reverting the operations through the useof unlocked coefficients subsequently reverts all combinations ofdifferent layers, so that the original information can be recovered (forsimplicity of the discussion, and without loss of generality, oneconsiders matrix A to have one row per layer 3).

It should be noted that traditional RLNC mixes all packets by using afull square matrix. This, however, is not suitable for layered coding,since it is not possible to extract individual layers unless one matrixis used for each layer. The triangular matrix coding described hereineffectively mixes the layers, allowing for differentiated recovery ofsuccessive layers by nodes with different access levels, while relyingon the dissemination of lower-level packets to achieve the resiliencenecessary for higher-level packets to be delivered in a timely fashion.Moreover, the triangular matrix form provides priority to the baselayer, as all upper layer packets contain the base layer. Thus, thecommon prioritization and scheduling of the base layer is solved in anatural way. Below is provided a comparison of the concept and schemedescribed herein with traditional RLNC addressing scheduling andprioritization issues.

The choice of a triangular matrix further meets two importantrequirements. First, it allows removal of the arbitrary delay introducedby a typical RLNC full-matrix at the source, since the source can codepackets as soon as they are generated and does not have to wait for theend of the generation to send them. Furthermore, the use of a triangularmatrix also allows for a unique mapping between the unlocked and lockedcoefficients that does not compromise security: a non-zero unlockedcoefficient in column i corresponds to the combination of packets p₁, .. . p_(i) inside the corresponding packet. This is a way of determiningthe layer of a packet at relay nodes and allow the use of the feedbackstrategies for minimizing the decoding delay mentioned above.

Next described is a model used to perform a security analysis. LetA=(a_(ij)) be the n×n lower triangular encoding matrix used forperforming coding at the source. Each of the non zero coefficientsa_(ij), i≧j is uniformly distributed over all non-zero elements of afinite field F_(q), q=2^(u), and mutually independent.

Let the original data, or plaintext, be a sequence of w vectors b ⁽¹⁾ .. . b ^((w)), in which b ^((x))=(b₁ ^((x)), b₂ ^((x)), . . . , b_(n)^((x)))^(T), 1≦x≦w. All vectors b ^((x)) are independent of A. It isassumed that the successive refinement algorithm used to generatescalable video is optimal. Thus, P(B_(l)=b_(l))=(q−1)⁻¹,∀b_(i)εF_(q)\{0}. For simplicity in the proofs, it is assumed that theplaintext is pre-coded to remove zeros. This can be achieved by mappingelements of F_(q) into F_(q−1), thus incurring a negligible rate penaltyof (q−1)/q.

The proofs are generalized to include more than one encrypted symbol peruse of the encoding matrix. Also, m represents the number of encryptedsymbols per reuse of the encoding symbols. We abstract from theparticular cypher used for locking the coefficients. For the plaintext,the use of a stream cypher is assumed such that the probability of theoutput of the encoding operation E(P, K) is independent of the plaintextP and the distribution of the output is uniform among all non-zeroelements of F_(q)\{0}, that is, P(E(P, K))=(q−1)⁻¹. The parameters ofthe cypher should be adjusted to approximate these criteria. In theproofs, to obtain these properties, one considers the use of a one timepad in which one symbol of the key is used for each symbol of theplaintext that is encrypted. The key is represented by w random vectorsK⁽¹⁾ . . . K^((w)), each with m positions (that is, with wm symbols ofkey in total). Furthermore, P(K_(i)=k_(i))=(q−1)⁻¹, ∀k_(l)εF_(q)\{0}.

The vector to which the matrix is applied, that is, the vector (E(b₁, K₁⁽¹⁾, . . . , E(b_(m) ^((x)), K_(m) ^((x))), b_(m+1) ^((x)), . . . ,b_(n) ^((x)))^(T), is denoted e ^((x)). Each payload vector isrepresented by c ^((x))=(c₁ ^((x)))^(T), where x corresponds to reuse xof A andC _(i) ^((x))=(^(min(1),)/Σ/_(j=1))a _(ij) E(b _(j) ^((x)) ,K _(j)^((x))+(^(i)/Σ/_(l=m+1))a _(il) b ₁ ^((x)).

In the description herein, random variables are described in capitalletters and instances of random variables are represented in lowercaseletters. Vectors are represented by underlined letters and matrices arerepresented in boldface. Without loss of generality, one can abstractfrom the network structure and consider the payload of all packetstogether in the security proofs. Characterized below is the mutualinformation (denoted by l(∘; ∘)) between the encoded data and the twoelements that can lead to information disclosure: the encoding matrixand the original data itself. Theorem 1 evaluates the mutual informationbetween the payload and the encoding matrix, and Theorem 2 evaluates themutual information between the payload and the original data.

Theorem 1: The mutual information between A and AE(1), AE(2), . . . ,AE(w) is zero:l(A;AE ⁽¹⁾ ,AE ⁽²⁾ , . . . ,AE ^((w)))=0.

Theorem 1 is a generalization of the result in Equation 24 and showsthat the cost of a statistical attack on the encoding matrix is the costof a brute-force attack on all entries of the matrix, independently ofthe number of reuses.

Theorem 2: The mutual information between B ⁽¹⁾, . . . , B ^((w)) and AE⁽¹⁾, . . . , AE ^((w)) is given by the expression:l( B ⁽¹⁾ , . . . ,B ^((w)) and AE ⁽¹⁾ , . . . ,AE^((w)))=log(q−1)max(f(w,n,m),0).where f (w, n, m)=w (n−m)−(^(n(n+1))/₂).

The equation in Theorem 2 shows that the cost of attacking the plaintextis the cost of discovering the encoding matrix. Thus, one gets athreshold at which there is a reduction of the search space needed toattack the plaintext due to multiple reuses of the matrix A. Notice thatthere is no disclosure of the plaintext with a single use of theencoding matrix. Below the number of uses in the threshold, the mutualinformation is 0 and thus, it is not possible to perform a statisticalattack on the payload. When the number of uses of the encoding matrixsurpasses the threshold, the mutual information grows with w. In theextreme case in which the number of encrypted symbols is equal to thenumber of symbols in the matrix, the mutual information is always zero(however, in this case, one would not require the encoding matrix to behidden).

The triangular matrix grants unequal protection to the layers of theplaintext. One can easily see that the search space for discoveringlayer i+1 is larger than the search space to discover layer i. Take, forinstance, the case in which m=0—then, for layers i and i+1, an attackerneeds to guess, respectively, i and i+1 entries of the matrix.

It is believed that the expression in Theorem 2 allows fine tuning thetrade-off between complexity and security by varying n (the size of thematrix), m (the number of encrypted symbols) and the size of the field.

Referring now to FIG. 6, an exemplary system includes a source node S, arelay node R and a receiver which comprises a decoder D. Also shown inFIG. 6 are a multi-resolution stream and a key distribution system Kwhich are illustrated in phantom since they are external to the system.Consider a scenario such as the one in FIG. 1, with a systemarchitecture as depicted in FIG. 6, the different components of thesystem and their practical implications are next described.

The technique described herein requires shared keys between source nodesand destination nodes. While the specifics of a particular keydistribution mechanism are not relevant to the concepts describedherein, exemplary key distribution techniques include, but are notlimited to, offline pre-distribution of keys or authentication protocolssuch as Kerberos or a Public Key Infrastructure (PKI). It should benoted that the need for keys to be shared among several legitimate nodesin a network arises frequently in multicast scenarios and is commonlydenominated as broadcast encryption or multicast key distribution.Layer/nodes should keep/keys (one for each layer), and thus, the numberof keys exchanged is equal to Σ(^(L)/_(l=1)) It_(l), in which t_(l)represents the number of recipients of layer l in the network and L thetotal number of layers in the stream.

With respect to multiresolution encoder encoding and security the mainrequirements of security protocols for multimedia streams are: (i) towork with low complexity and high encryption efficiency, (ii) to keepthe format and synchronization information and (iii) to maintain theoriginal data size and compression ratio. As can be seen from thedescription provided herein, the scheme described herein has beendesigned to meet criterion (i). Criterion (ii) is codec-dependent, butin general the scheme described herein is able to meet it. Taking, forexample, the MJPEG video codec4, one can use the JPEG2000 option ofplacing all headers from all blocks of the image on the main header ofthe and satisfy criterion (ii). Finally, network coding does not changethe size or compression ratio of the stream, so the scheme describedherein satisfies criterion (iii).

As also shown herein, the maximum level of security is obtained when thecompression is optimal and yields a result that is nearly uniform. Thus,the scheme described herein imposes a set of parameters for the codec inorder to maximize the entropy of the file. In the MJPEG codec, two suchcoding decisions would be to choose larger tile sizes and maximumcompression rate on the arithmetic coding step. Another approach wouldbe to perform an extra data protection step together with compression.The size of the base layer can be seen as another parameter to increasethe compression ratio. As an example, in JPEG2000, each encoded symbolincreases the resolution of the stream, therefore it is possible to varythe size of each layer taking the constraints of the security mechanisminto consideration.

The source encoder node S includes security, loss recovery and networkcoding modules. The security module and its interoperation with networkcoding are described herein e.g. in conjunction with FIG. 4 above.

However, it should be appreciated that more than one row of the matrixfor each layer is used. In that case, the mapping between the unlockedand locked coefficients suffers a shift: if 2 packets per layer areused, a packet with unlocked coefficients vector (1, 1, 0, . . . 0)belongs to layer 1 and a packet with vector (1, 1, 1, 0, . . . 0)belongs to layer 2. The division of the payload into vectors should alsoaccommodate this shift. Codecs in which each new symbol (decoded inorder) contributes to increased resolution of the output video (such asthe MJPEG2000) might benefit from an approach with a finer granularity.This granularity can be fine-tuned by the number of lines of theencoding matrix that belong to each layer. Another important systemrequirement is to use an encryption mechanism for which the ciphertextis of the same size of the plaintext (e.g. AES in stream cipher mode) inorder to keep the size of the symbols constant.

An important aspect of the encoder is the rate at which intermediatenodes generate and send linear combinations to the receiver, if a relaygenerates and forwards a linear combination every time an innovativepacket from the server is received, then many redundant packets mayarrive at destinations. To solve this issue, the server generates acredit for each coded packet, which is further assigned to one of theintermediate relays. Next, only the relay who receives also the creditassociated with the packet is allowed to send a linear combination.

After transmitting a complete generation, and before streaming the nextone, the server starts the loss recovery process. To recover lostpackets, the server sends redundant linear combinations for each layer,mixing all packets of the layer. This process continues until all thereceivers for that layer can decode or the server has another segment tostream.

The network encoder is a component of the wireless relays of the networkand includes layer classification and network coding. As describedabove, packets of layer l should only be combined with packets of lowerlayers, i.e., l, l−1, . . . 1. This is done in order to maintain thediversity of layers in the network, because when combining a packet oflayer l with layer l+1, the layer of the resulting packet is l+1. Afterclassifying the packet, a relay generates and forwards a linearcombination if he received the credit assigned to that packet.

The decoder is a component of the receiver that includes security,decoding and buffering and feedback. When enough packets are received,the receiver performs Gaussian elimination to decode packets using theunlocked coefficients. The security process corresponds to the recoveryof the locked coefficients and encrypted symbols of the payload and isexplained above.

Since in the scheme described herein relay nodes perform coding on thepackets of the same (and lower) layers, the shape of the triangularmatrix sent by the source is not kept through the network. Thus, areceived packet, even if innovative in terms of rank, might not bedecodable immediately. Hence, the system described herein requires adecoding buffer at the receivers. This decoding buffer takes intoaccount the maximum allowable delay of the video stream, similar to theplay buffer at the receivers, and will preemptively flush the currentundecoded packets if the delay requirement is not met. Once a full layeris decoded, it is stored in the playback buffer.

A node starts the playback once it decodes a number of segments in thelowest quality. If a frame is not received unto the time of playback,then it is discarded and the subsequent frame is played instead.Likewise, if the frame is available in a lower quality, it is played ina lower quality than the one the node has access to. At time step k thenode plays segment k in the quality in which it is available. If thesegment was not decoded (not even in the lowest quality), then the nodestops the playback process and starts buffering. If after some bufferingtimeout, the node decodes segment k, then it plays it in the quality inwhich it is available; otherwise, the node skips segment k and plays thenext one.

Considering a system with minimal feedback, in order to free thewireless channels from unnecessary transmissions, the receivers sendpositive feedback to the server whenever they decode a segment in thedesired quality. For example, a layer 3 receiver sends a unique feedbackpacket when it has decoded layers 1, 2 and 3.

Next described is an evaluation of the system described herein in termsof security complexity as well as an evaluation of system performance ina lossy wireless scenario.

Referring now to FIG. 7, a volume of data to be encrypted according tothe size of the plaintext for the scheme described herein is comparedwith traditional encryption, for typical packet sizes of 500 bytes (forvideo packets in cellular networks), 1000 bytes (for example, for videoover wifi networks) and 1500 bytes (the typical IP packet size). In thisexample, one encrypted symbol per generation is assumed. For traditionalencryption mechanisms, which perform end-to-end encryption of the entirepayload, the volume of data that must be encrypted increases linearlywith the size of the protected payload. It is not difficult to see thatthe scheme described herein substantially reduces the size ofinformation to be encrypted. The gains get higher as the maximum size ofthe packet increases, since the number of matrices to be generated issmaller, and more data can be sent in each packet containing the samematrix of coefficients.

Naturally, the required number of cryptographic operations is directlyrelated to the volume of data to be encrypted. If one considers a streamcipher, the number of encryption operations increases linearly with thatvolume, and therefore, the computational complexity is greatly reducedby the novel scheme described herein as shown in FIG. 7. Note that thesevalues are indicative only, and correspond to the theoretical gains whenthe size of the packet is the only parameter determining the number ofreuses of the encoding matrix. The security penalty, which is quantifiedin above, is not considered for the purposes of this analysis. Note aswell that the end values depend on the design of the codec, as we as onthe size chosen for each layer.

Communication and Computational overhead are next discussed.

The ability reduce the volume of data to be encrypted comes at the costof including locked coefficients in the data packet.

Table II shows the overhead introduced by novel scheme described hereinfor each packet and for coefficients with size of 8 and 16 bits, forsome values of reference for wireless networks with nodes with severalprocessing capabilities.

TABLE II VOLUME OVERHEAD OF LOCKED COEFFICIENTS (PER PACKET). MAXIMUM IP#CODED OVERHEAD IN F_(q) PACKET SIZE PACKETS h q = 2⁸ q = 2¹⁶ 500 40.80% 1.60% 8 1.60% 3.20% 12 3.20% 6.40% 1000 4 0.40% 0.80% 8 0.80%1.60% 12 2.40% 4.80% 1500 4 0.27% 0.53% 8 0.53% 1.07% 12 0.80% 1.60%

Note that the inclusion of locked and unlocked coefficients allowsavoidance of the use of homomorphic hash functions, which are veryexpensive in terms of computation.

Due to the inclusion of an extra set of coefficients (the lockedcoefficients), the novel scheme described herein requires additionaloperations, which are shown in Table III. For the purpose of theanalysis described herein, it is considered that, in comparison to themultiplication, the sum operation yields negligible complexity.

TABLE III COMPUTATIONAL COST OF INCLUDING THE LOCKED COEFFICIENTSDETAILED TOTAL NODE OPERATION COST COST Source Generation of vectors ofnegligible — Node identity matrix Encryption of locked See Section V-A1coefficients Relay Performing extra random nh multiplication O(nt) Nodelinear operations on locked operations and coefficients (combining t (n− 1)h sum packets) operations Sink Decrypt locked coefficients SeeSection V-A1 O(n2) Node to obtain the matrix ML of plain-text lockedcoefficients Forward-substitution using O(n2) recovered lockedcoefficients Decrypt one encrypted See Section V-A1 symbol per use ofthe encoding matrix

Next described is wireless video performance. An evaluation is providedof the performance of the protocol described above in the multi-hopmulti-path scenario from FIG. 1, in which the server S sends video tothree (3) heterogeneous receivers A, B and C, through relays R1, R2 andR3, over lossy wireless links. In the description hereinbelow, the focusis solely on the performance of the scheme in terms of throughput androbustness to losses, and its ability to deliver quality video to aheterogeneous set of receivers. The novel layered network coding model(scheme NC1) described herein is compared to a standard RLNC (schemeNC2) and also to an implementation without network coding (scheme WoNC).In scheme NC2 the server sends a different stream for every layer. Eachsegment is encoded in different qualities, using a full coefficientmatrix for each layer. Relay nodes perform RLNC operations on thereceived packets that belong to the same generation and to the same orlower layers. In this case, since a sink of layer L needs to receive afull-rank matrix for layers 1, 2, . . . L, sinks acknowledge each layerthat they decode. Error recovery is similar to scheme NC1. In schemeWoNC, the server sends the native packets without coding them, in thiscase, the intermediate nodes just forward uncoded packets normally. Thesinks send as feedback the ids of the packets they received. If somepackets are lost, the server retransmits them.

A simulation setup is next described. The ns-2 simulator 2.33 describedin S. Mccanne, S. Floyd, and K. Fall, “ns2 (network simulator 2),”http://www-nrg.ee.lbl.gov/ns/ with the default random number generatoris used for this version. The network coding libraries are independentlyprogrammed. The video stream is a constant bit rate traffic over UDP,where the server is streaming at 480 kbps during 100 seconds. Each layerhas a fixed size of 20 packets and three (3) layers for the system areconsidered. This yields a generation of 60 packets, corresponding to 1second of video. The packet size is 1000 bytes. As a propagation model,two-ray ground is used and the loss probability P_(loss) is taken as asimulation parameter. Since it was shown that RTS/CTS has a negativeimpact on the performance, it was disabled for all experiments. In orderto simulate heavy loss conditions, MAC layer retransmissions were alsodisabled. The rate at the MAC layer is 11 Mbps.

The receivers start to playback the video stream once they have decodedat least five (5) segments of the lowest quality. The buffering timeoutfor a segment that has not been decoded until its playback deadlinearrives is set to one (1) second. Furthermore, a perfect feedbackchannel is assumed (that is, no feedback packets are lost). In order totake full advantage of the broadcast nature of the wireless medium, therelays listen to transmitted packets in promiscuous mode.

The following metrics: (i) played rate at the receivers, (ii) initialbuffering delay, the time interval from receiving the first packet tothe beginning of the playback, (iii) decoding delay, the time elapsedfrom receiving the first packet of a segment until that segment isdecoded, (iv) skipped segments, percentage of segments skipped atplayback, (v) lower quality segments, percentage of segments played inlower quality than the one requested, (vi) playback quality, averagequality in which each segment is played and (vii) load on the server,defined as the ratio between the total rate sent by the server and thestreaming rate. In all plots, each point is the average of 10 runs andthe vertical lines show the standard deviation.

FIGS. 8-14 illustrate results achieved via the concepts, techniques andsystems described herein.

Referring now to FIG. 8, the rate played by each receiver vs. lossprobability is shown. Played rate as a function of loss probabilityP_(loss), for the technique described herein (NC1), three streams withnetwork coding (NC2) and without network coding (WoNC) as shown. As canbe seen from examination of FIG. 8, scheme NC1 and scheme NC2 are lessaffected by losses, due to the inherent reliability of network coding involatile environments, with the scheme described herein performingconsistently better. Scheme WoNC, as expected, performs poorly as themedium becomes unreliable.

Referring now to FIG. 9, the load on the server in function of the lossprobability P_(loss) is shown. One can see in FIG. 9 that the load onthe server grows exponentially as the loss increases. In general, thenetwork coding approaches need to send less coded packets to recoverlosses. At P_(loss)=0.9, the load is slightly higher for network codingsince the server preemptively sends redundant packets until it receivesthe feedback from the receiver that the segment is decoded, while forscheme WoNC the server retransmits packets only when it receivesfeedback from the receivers. Since most of the packets are dropped,scheme WoNC never retransmits.

Referring now to FIG. 10 CDF of decoding delay for loss probabilityP_(loss)=0.4, for layer 3 is shown. FIG. 10 shows that the networkcoding approaches are able to decode segments within a second as theserver sends redundant linear combinations in a feed-forward manner.Scheme WoNC needs a longer decoding time, because the server waits forthe feedback before retransmitting. The plot shown corresponds to alayer 3 receiver and the behavior for other layers is similar.

Referring now to FIGS. 11 and 12, these figures show the percentage ofsegments that are skipped and played in lower quality, respectively.Note that with network coding, no segments are skipped for any layers,and, as expected, more segments are played in lower quality as thelosses increase. On the other hand, without network coding, there arefewer segments played in lower quality, but at the same time thepercentage of skips grows significantly with ploss, because the packetsretransmitted by the server do not arrive at the receivers in due time.This effect is exacerbated at higher losses, where no segment is everplayed (and hence never skipped either).

Referring now to FIG. 13, Initial buffering delay in function of lossprobability ploss, for layer 3 is shown. One can see in FIG. 13 that forour scheme, the receivers buffer for a shorter time before starting theplayback. The initial buffering delay grows slowly with the probabilityof loss, because a single network coded packet can recover multiplelosses. For scheme WoNC, when losses are high, the receivers are notable to decode anything, thus they never start to play the file.

The plots shown in FIGS. 11 and 13 correspond to layer 3. The behaviorfor other layers is similar and slightly better, since layer 3 receiversneed to receive more packets than lower layer nodes.

Referring now to FIG. 14, a plot of Played quality for P_(loss)=0.4 isshown. FIG. 14 shows the average quality in which every segment isplayed, when P_(loss)=0.4. A skipped segment accounts as played in aquality equal to 0. Note that the network coding approaches show a highresilience to errors and the video file is constantly played in thedesired quality by each receiver compared to scheme WoNC, again with ourscheme showing better performance.

Finally, it should be noted that the scheme described herein outperformsscheme NC2 due to the triangular encoding matrix used for coding and tothe nested structure of the video layers. These characteristics resultin a higher robustness to losses (FIG. 8), better video quality withfewer skips and fewer segments played in lower quality (FIG. 12) andshorter buffering delay (FIG. 13).

Described herein is a practical scheme for scalable video streaming thatexploits the algebraic characteristics of random linear network coding(RLNC).

On the one hand, the concepts, systems and schemes described hereinensure differentiated levels of security for distinct users. On theother hand, the properties of the network coding paradigm assure theresilience to packet losses over wireless channels. The securityevaluation proves that it is possible to reduce significantly the numberof encryption operations (or, equivalently, the complexity requirements)while quantifying the security levels.

It should be noted that the system and techniques described herein werefocused on eavesdropping attacks. Network pollution attacks can be dealtwith using conventional techniques in albeit some conventionaltechniques have added in terms of delay and complexity.

As part of our ongoing work we are looking at ways to mitigate theeffects of such Byzantine attacks under the real-time constraints ofstreaming services.

Having described preferred embodiments of the invention it will nowbecome apparent to those of ordinary skill in the art that otherembodiments incorporating these concepts may be used. Accordingly, it issubmitted that that the invention should not be limited to the describedembodiments but rather should be limited only by the spirit and scope ofthe appended claims.

The invention claimed is:
 1. A method for streaming video data in anetwork including a server node, a plurality of relay nodes and one ormore receiver nodes and including a set of security operations and videostreaming operations with network coding, the method comprisingperforming a one-time key distribution between the source node and eachof the one or more receiver nodes; dividing the video data into one ormore group of pictures (GoP), each of the more than one group ofpictures having a predetermined time of duration; for each group ofpictures (GoP), generating at the source node and an n×nlower-triangular matrix A, in which l is a number of layers in the GoPwherein there are n_(j) rows in the matrix A for each layer, andn=n_(l)l and wherein matrix A is used for encoding at the source onlyand each non-zero entry of matrix A is an elemental a_(ij) chosenuniformly at random from all non-zero elements of the field F_(g)\{0};dividing the GoP into a plurality of vectors b⁽¹⁾ . . . b^((w)), each ofthe vectors having n symbols b₁-b_(n) in which positionsn_(l)(l_(j)−1)+1 to n_(l)l_(j) of each vector belongs layer l_(j);encrypting m_(l) symbols of each layer in vectors b^((i)) 1≦l≦w, with astream cypher and random keys k⁽¹⁾-k^((j)) where there is one key foreach layer; applying the encoding matrix A successively to theinformation symbols to be sent to provide a payload of one or morepackets, comprised of encoded information symbols; encrypting each n_(l)lines of a matrix A with a corresponding layer key, wherein the firstmatrix A corresponds to a locked coefficients matrix; generating an n×nidentity matrix corresponding to the unlocked coefficients wherein eachof the packets comprise a header and the payload and wherein the headercomprises the locked and unlocked coefficients; encoding the packets inrelay nodes in accordance with a random linear network coding (RLNC)protocol wherein algebraic coding is performed on unlocked coefficients,locked coefficients and payload and wherein the relay nodes identify thelayer of a packet by looking at the first non-zero position in theunlocked coefficients, and packets are mixed with packets of the same orlower layers only; and sending the first n_(l) lines of matrix Aunencrypted so as to make the base layer accessible to all nodes andwherein encryption of the locked coefficients then starts at row n_(l)+1such that layer 1 is accessible to all nodes in the network.
 2. Themethod of claim 1 wherein the time of duration is one second.
 3. Themethod of claim 1 wherein performing algebraic coding on unlockedcoefficients, locked coefficients and payload comprises performingalgebraic coding indistinguishably on unlocked coefficients, lockedcoefficients and payload.
 4. The method of claim 1 further comprising:applying, via the receivers, Gaussian elimination following standardRLNC over the unlocked coefficients; recovering the locked coefficientsby decrypting each line of the matrix with the corresponding key; andobtaining plaintext by a forward substitution process.
 5. The method ofclaim 1 wherein the protected symbols are encrypted with the key for thelowest level in the network such that all legitimate participants in theprotocol can decrypt the locked symbols.
 6. The method of claim 1further comprising starting the encryption of plaintext symbols atsymbol n_(l)+1, so that the base layer is accessible by all the nodes inthe network.
 7. The method of claim 1 wherein only a single key perlayer is used for multi-resolution encryption and wherein the single keyfor each layer is shared among all legitimate receivers for that layer.8. The method of claim 1 wherein in order to achieve maximum security,encrypting comprises encrypting the base layer of the GoP.
 9. The methodof claim 6 wherein encrypting m_(l) symbols of each layer in vectors b^(i) 1<=l<=w, with a stream cypher and random keys k⁽¹⁾-k^((l)) yieldspayload vectors of the form:c ^((i)) =A(E(b ₁ ^((i)) ,k ⁽¹⁾), . . . ,E(b _(m) _(l) ^((i)) ,k ⁽¹⁾),b_(m) _(l) ₊₁ ^((i)) , . . . ,b _(n) _(l) ^((i)),E(b _(n) _(l) ₊₁ ^((i)) ,k ⁽²⁾), . . . ,E(b _(n) _(l) _(+m) _(l) ^((i)),k ⁽²⁾),b _(n) _(l) _(+m) _(l) ₊₁ ^((i)) , . . . ,b _(2n) _(l) ^((i)),. . . ,E(b _(n) _(l) _((l−1)) ^((l)) ,k ^((l))), . . . ,E(b _(n) _(l)_((l−1)+m) _(l) ^((l)) ,k ^((l))),b _(n) _(l) _((l−1)+m) _(l) ₊₁ ^((i)), . . . ,b _(n) ^((i)))^(T) and wherein composing a payload of thepackets includes forming the payload by concatenating vectors c ⁽¹⁾ to c^((w)).
 10. The method of claim 7 wherein encrypting each line of matrixA with a corresponding layer key comprises encrypting each line ofmatrix A with a corresponding layer key via the source.
 11. The methodof claim 7 wherein: a packet from layer l_(j) corresponds to rowsn_(l)(l_(j)−1)+1 to n_(l)l_(j) of matrix A.
 12. The method of claim 1wherein when performing a linear combination of one packet of layer xwith a packet of layer y>x, the resulting packet belongs to layer y. 13.A system for streaming video data in a network, the system comprising:(a) a server node for dividing the video data into more than one groupof pictures (GoP), each of the more than one group of pictures having apredetermined time of duration wherein for each group of pictures (GoP),the source node generates an n×n lower-triangular matrix A, in which lis the number of layers in the GoP and n=n_(l)l and wherein matrix A isused for encoding at the source only and each non-zero entry of matrix Ais an element a_(ij) chosen uniformly at random from all non-zeroelements of the field F_(q)\{0} and the source divides the GoP into aplurality of vectors b ⁽¹⁾ . . . b ^((w)), each of the vectors having nsymbols b₁-b_(n) in which the symbol from index n_(l)(l_(j)−1)+1 tpn_(l)l_(j) belong to layer l_(j) of the GoP and wherein the number ofvectors created is computed as size of GoP/n and wherein the source nodeencrypts m_(l) positions of each layer of each vector b ^((i)) yieldingm encrypted positions in total for each use of the encoding matrixwherein the output of the operation of a stream cypher on a symbol Pwith a random key K is denoted as E(P, K) and applies the encodingmatrix A successively to the information symbols to be sent to provideencoded information symbols which comprise a payload of one or morepackets wherein encrypting m_(l) symbols of each layer in vectorsb^((i)) 1<=l<=w, with a stream cipher and random keys k⁽¹⁾-k^((l))yields payload vectors of the form:c ^((i)) =A(E(b ₁ ^((i)) ,k ⁽¹⁾), . . . ,E(b _(m) _(l) ^((i)) ,k ⁽¹⁾),b_(m) _(l) ₊₁ ^((i)) , . . . ,b _(n) _(l) ^((i)),E(b _(n) _(l) ₊₁ ^((i)) ,k ⁽²⁾), . . . ,E(b _(n) _(l) _(+m) _(l) ^((i)),k ⁽²⁾),b _(n) _(l) _(+m) _(l) ₊₁ ^((i)) , . . . ,b _(2n) _(l) ^((i)),. . . ,E(b _(n) _(l) _((l−1)) ^((l)) ,k ^((l))), . . . ,E(b _(n) _(l)_((l−1)+m) _(l) ^((l)) ,k ^((l))),b _(n) _(l) _((l−1)+m) _(l) ₊₁ ^((i)), . . . ,b _(n) ^((i)))^(T) and wherein composing a payload of thepackets includes forming the payload by concatenating vectors c⁽¹⁾ toc^((w)) and the source node encrypts each line of a first matrix A witha corresponding layer key wherein the first matrix A corresponds to alocked coefficients matrix and generates an n×n identity matrixcorresponding to the unlocked coefficients wherein each of the one ormore packets comprise a header and the payload; (b) a plurality of relaynodes wherein the one or more packets are encoded in the relay nodes inaccordance with a random linear network coding (RLNC) protocol, whereinthe relay nodes identify the layer of a packet by looking at the firstnon-zero position in the unlocked coefficients, and packets are mixedwith packets of the same or lower layers only; and (c) one or morereceiver nodes wherein the header comprises the locked and unlockedcoefficients and encodes the one or more packets.